From a2454bfb88b5e1af67ff2a5fecaec1a215a0f80b Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Mon, 17 Jun 2024 12:19:45 +0200 Subject: [PATCH] Add test for ASN1_item_verify() This is a test for https://github.com/openssl/openssl/issues/24575 Original idea by Theo Buehler. --- test/x509_test.c | 82 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 82 insertions(+) diff --git a/test/x509_test.c b/test/x509_test.c index f5a67c63d994d9..49579c23cce53f 100644 --- a/test/x509_test.c +++ b/test/x509_test.c @@ -7,7 +7,14 @@ * https://www.openssl.org/source/license.html */ +#define OPENSSL_SUPPRESS_DEPRECATED /* EVP_PKEY_get1/set1_RSA */ + #include +#include +#include +#include +#include +#include "crypto/x509.h" /* x509_st definition */ #include "testutil.h" static EVP_PKEY *pubkey = NULL; @@ -114,6 +121,80 @@ static int test_x509_crl_tbs_cache(void) return ret; } +static const char *pss_cert = /* Self-signed cert with RSA-PSS signature */ + "-----BEGIN CERTIFICATE-----\n" + "MIIDUDCCAgSgAwIBAgIBATBBBgkqhkiG9w0BAQowNKAPMA0GCWCGSAFlAwQCAQUA\n" + "oRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAQUAogMCASAwFjEUMBIGA1UEAwwL\n" + "Um9vdCBQU1MgQ0EwIBcNMjQwNjE3MDk1ODEyWhgPMjEyNDA2MTgwOTU4MTJaMBYx\n" + "FDASBgNVBAMMC1Jvb3QgUFNTIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB\n" + "CgKCAQEA9usPd4aHT/mTbny6MFtaYApJdpA8DheiKY9PRRt22Lu1YIIxHpwS4Jdq\n" + "WW69XES7il4d4eaFl/6n+TGGy2UuOZYeU6fVQ5mxJHDCDiY/UF7/F0ZIt18uqLhY\n" + "FpBv2y+iLGXIp+TrhmJ3NFxBqew9xEYkT44Jgd6pE+w4KXhQ0aY8AIi+d4i1Rp1B\n" + "PIlgtbByjnI68HCELg6jkqlCb8NL9kEtoK/M9dK7Hvff8g9fabK8lKlbxKFcLUwn\n" + "nsI+UyjsCGktmQ5ukRjjNXHDcwPhE797A6UIC4mwXITwAEmSYZaOzcKr95pdfFB0\n" + "zqBujjv6LUsgaIvFcUOWBuRYs1NZfwIDAQABoz8wPTAPBgNVHRMBAf8EBTADAQH/\n" + "MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUIQoxipZ4v088BcQ7vOvM5PttO8IwQQYJ\n" + "KoZIhvcNAQEKMDSgDzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglg\n" + "hkgBZQMEAgEFAKIDAgEgA4IBAQBJn4U+nCFESbThSVRJk7ZtTdCM3W6fevfwKee+\n" + "r48dqt6KbGAePmqwHTCj8ZPpDO9TyoTpPAJ/lGgYYgBjSwTQyZCF0N6uSpka5x4y\n" + "mxJMqZioaJ5Ctnyea5JZewcBq4c8pQCwAOMruyE0NedXPk7fuGnLCSCoRGJT9Nil\n" + "y4YfaL7gRLx0tpdC62HBA5EdO+SbJF+A/ah+lMMvcObR16Q2M/wHBe2n5dvSiBgC\n" + "LK4PbDDhxIasB4LlpCAuIEPL+g9zhBQDbpO7L6v8v60AzEz0zJVF8o/jFWEpCUr+\n" + "VxplcyaW5+TTXZ4yCbUkc97zy5wxAuzE7IGj0Yt0NWspXRbk\n" + "-----END CERTIFICATE-----\n"; + +static int test_asn1_item_verify(void) +{ + int ret = 0; + BIO *bio = NULL; + X509 *x509 = NULL; + const ASN1_BIT_STRING *sig = NULL; + const X509_ALGOR *alg = NULL; + EVP_PKEY *pkey; +#ifndef OPENSSL_NO_DEPRECATED_3_0 + RSA *rsa = NULL; +#endif + + if (!TEST_ptr(bio = BIO_new_mem_buf(pss_cert, -1)) + || !TEST_ptr(x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL)) + || !TEST_ptr(pkey = X509_get0_pubkey(x509))) + goto err; + +#ifndef OPENSSL_NO_DEPRECATED_3_0 + /* Issue #24575 requires legacy key but the test is useful anyway */ + if (!TEST_ptr(rsa = EVP_PKEY_get1_RSA(pkey))) + goto err; + + if (!TEST_int_gt(EVP_PKEY_set1_RSA(pkey, rsa), 0)) + goto err; +#endif + + X509_get0_signature(&sig, &alg, x509); + + if (!TEST_int_gt(ASN1_item_verify(ASN1_ITEM_rptr(X509_CINF), + (X509_ALGOR *)alg, (ASN1_BIT_STRING *)sig, + &x509->cert_info, pkey), 0)) + goto err; + + ERR_set_mark(); + if (!TEST_int_lt(ASN1_item_verify(ASN1_ITEM_rptr(X509_CINF), + (X509_ALGOR *)alg, (ASN1_BIT_STRING *)sig, + NULL, pkey), 0)) { + ERR_clear_last_mark(); + goto err; + } + ERR_pop_to_mark(); + + ret = 1; + + err: +#ifndef OPENSSL_NO_DEPRECATED_3_0 + RSA_free(rsa); +#endif + BIO_free(bio); + return ret; +} + int setup_tests(void) { const unsigned char *p; @@ -138,6 +219,7 @@ int setup_tests(void) ADD_TEST(test_x509_tbs_cache); ADD_TEST(test_x509_crl_tbs_cache); + ADD_TEST(test_asn1_item_verify); return 1; }